Secure Boot

From NixOS Wiki
Revision as of 17:34, 8 April 2023 by imported>Onny (Add setup section)

Secure Boot can be enabled on NixOS using the Lanzaboote project. Secure Boot is a UEFI feature that only allows trusted operating systems to boot. Lanzaboote has two components: lzbt and stub. lzbt signs the boot files and installs them on the ESP. stub is a UEFI application that loads the kernel and initrd from the ESP.

Warning: Lanzaboote is still in development and requires some prerequisites and precautions. Currently it is only available for nixos-unstable. For more information, please see the GitHub repository or the Quick Start guide.

Requirements

The Secure Boot implementation of Lanzaboote requires a system installed in UEFI mode together with systemd-boot enabled. This can be checked by running bootctl status:

$ bootctl status
System:
     Firmware: UEFI 2.70 (Lenovo 0.4720)
  Secure Boot: disabled (disabled)
 TPM2 Support: yes
 Boot into FW: supported

Current Boot Loader:
      Product: systemd-boot 251.7
...
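As a check to run before starting the setup, here is an added example (not code from the wiki or the Lanzaboote project) that parses the output of bootctl status and reports whether the two prerequisites above, UEFI firmware and systemd-boot as the current boot loader, are met, along with the current Secure Boot state. The function name check_bootctl_prereqs and both sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example: parse `bootctl status` output for the Lanzaboote prerequisites.
# check_bootctl_prereqs OUTPUT
# Prints one line per finding; returns 0 when firmware is UEFI and the current
# boot loader is systemd-boot, 1 otherwise. Secure Boot state is only reported.
check_bootctl_prereqs() {
    out=$1
    ok=0
    # Pull the first value after each label bootctl prints (leading spaces vary).
    firmware=$(printf '%s\n' "$out" | sed -n 's/^ *Firmware: *//p' | head -n 1)
    loader=$(printf '%s\n' "$out" | sed -n 's/^ *Product: *//p' | head -n 1)
    sb=$(printf '%s\n' "$out" | sed -n 's/^ *Secure Boot: *//p' | head -n 1)

    case $firmware in
        UEFI*) echo "firmware: UEFI ($firmware)" ;;
        *)     echo "firmware: not UEFI (${firmware:-none reported})"; ok=1 ;;
    esac
    case $loader in
        systemd-boot*) echo "boot loader: systemd-boot ($loader)" ;;
        *)             echo "boot loader: not systemd-boot (${loader:-none reported})"; ok=1 ;;
    esac
    echo "secure boot: ${sb:-unknown}"
    return $ok
}

# Constructed sample mirroring the bootctl output shown in the wiki.
SAMPLE_OK='System:
     Firmware: UEFI 2.70 (Lenovo 0.4720)
  Secure Boot: disabled (disabled)
 TPM2 Support: yes
 Boot into FW: supported

Current Boot Loader:
      Product: systemd-boot 251.7'

# Constructed sample of a system that does not meet the prerequisites
# (legacy BIOS install, no systemd-boot).
SAMPLE_BAD='System:
     Firmware: n/a (n/a)
  Secure Boot: n/a
Current Boot Loader:
      Product: n/a'

# On a real machine run: check_bootctl_prereqs "$(bootctl status)"
check_bootctl_prereqs "$SAMPLE_OK"
```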

It is recommended to set a BIOS password and enable full disk encryption to prevent attacks against UEFI and Secure Boot.

Setup

First generate Secure Boot keys using sbctl:

 sudo nix run nixpkgs#sbctl create-keys

After that, enable bootspec by adding the following line to the system configuration:

/etc/nixos/configuration.nix
boot.bootspec.enable = true;